Securing ASP.NET web applications

Securing ASP.NET Web Apps for .NET developers (mostly applicable on other platforms too)

Upload: tranthu

Post on 11-Feb-2017



Page 1: Securing ASP.NET web applications

Securing ASP.NET Web Apps for .NET developers (mostly applicable on other platforms too)

Page 2: Securing ASP.NET web applications

About EBSCO

Began in 1944 as a small subscription agency

EBSCO Industries, Inc. is in many industries today

EBSCO Information Services (EIS)

Business Systems Engineering

7 development teams

Committed to Lean and CD

Robb Schiefer

8 years of service

Solutions Architect

Page 3: Securing ASP.NET web applications

Who is responsible for security?

Page 4: Securing ASP.NET web applications

Everyone, but management has to drive

Target CEO Gregg Steinhafel resigns following last year's …

Officials with the Maricopa County Community College District (MCCCD) voted to fire Miguel Corzo, the director of the district's information-technology department, in July 2014.

The Texas State Comptroller’s office fired an undisclosed number of information security executives.

The governor of Utah fired the head of the state’s Department of Technology Services (DTS) Stephen Fletcher…

http://www.csoonline.com/article/2859485/data-breach/9-data-breaches-that-cost-someone-their-job.html#slide10

Page 5: Securing ASP.NET web applications

How?

Make security a priority

Test for security

Require regular peer reviews

Perform security scans

It’s not as hard as you think!

Page 6: Securing ASP.NET web applications
Page 7: Securing ASP.NET web applications

Top Web Vulnerabilities

Source: Acunetix Web Application Vulnerability Report 2015

Page 8: Securing ASP.NET web applications

Average # of Open Vulnerabilities

Source: WhiteHat 2015 Stats Report

Page 9: Securing ASP.NET web applications

OWASP: The Open Web Application Security Project

Established in 2001

Open community with Wiki-based site

Incredible resource for security information

https://www.owasp.org/index.php/Category:OWASP_.NET_Project

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

Page 10: Securing ASP.NET web applications

OWASP .NET Cheatsheet

https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet

Troy Hunt (Microsoft MVP), contributor - http://www.troyhunt.com/

Topics

.NET Framework Guidance

ASP.NET Webforms Guidance

ASP.NET MVC Guidance

XAML Guidance

Windows Forms Guidance

WCF Guidance

Page 11: Securing ASP.NET web applications

Install/Updates

Install server updates/patches

Get the latest .NET updates

Migrate to later ASP.NET versions

Update Nuget packages periodically

Take advantage of security improvements in later versions

Page 12: Securing ASP.NET web applications

DEMO: Default ASP.NET Site Security http://defaultaspnetsite.azurewebsites.net/

https://asafaweb.com/Scan?Url=defaultaspnetsite.azurewebsites.net

Page 14: Securing ASP.NET web applications

Security atrophy

Settings that creep into a deployed site over time and undo its security:

Enable tracing

Release a debug build

Leave the ELMAH log enabled

Disable custom errors
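The four items above are all web.config settings, so a deployment can be checked for them at startup. This is an added example, not code from the slides: it reads the standard system.web compilation, trace and customErrors sections of an ASP.NET MVC 5 app and refuses to start when any of them is still in a debug state (ELMAH's own section is not checked here; its elmah.axd handler should be restricted in the same spirit).

```csharp
// Added example (not from the slides): fail fast when a deployment still carries
// diagnostic settings. Assumes an MVC 5 app; call EnforceAtStartup() from
// Application_Start in Global.asax.
using System;
using System.Collections.Generic;
using System.Web.Configuration;

public static class DeploymentHardeningCheck
{
    // Returns one finding per unsafe setting; an empty list means the three
    // settings are production-safe.
    public static IList<string> Audit(CompilationSection compilation,
                                      TraceSection trace,
                                      CustomErrorsSection customErrors)
    {
        var findings = new List<string>();

        // Debug builds ship symbols, disable some optimisations and produce
        // verbose error pages; release must have debug="false".
        if (compilation != null && compilation.Debug)
            findings.Add("<compilation debug=\"true\">: ship release builds with debug=\"false\"");

        // Tracing exposes trace.axd with request details, session and server
        // variables; if it must stay on, it must at least be localOnly.
        if (trace != null && trace.Enabled && !trace.LocalOnly)
            findings.Add("<trace enabled=\"true\" localOnly=\"false\">: trace.axd is reachable remotely");

        // customErrors Off sends stack traces and source snippets to the client.
        if (customErrors == null || customErrors.Mode == CustomErrorsMode.Off)
            findings.Add("<customErrors mode=\"Off\">: error details leak to clients; use RemoteOnly or On");

        return findings;
    }

    public static void EnforceAtStartup()
    {
        var config = WebConfigurationManager.OpenWebConfiguration("~");
        var findings = Audit(
            (CompilationSection)config.GetSection("system.web/compilation"),
            (TraceSection)config.GetSection("system.web/trace"),
            (CustomErrorsSection)config.GetSection("system.web/customErrors"));

        if (findings.Count > 0)
            throw new InvalidOperationException(
                "Insecure deployment settings:" + Environment.NewLine + string.Join(Environment.NewLine, findings));
    }
}
```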

Page 15: Securing ASP.NET web applications

Cross-site Scripting (XSS)

XSS = Moving from a data context to a code context.

http://localhost:1771/Presenters?message=test<script>alert('XSS');</script>

http://localhost:1771/Presenters?message=test<script>prompt('Please enter your Social Security Number:', 'XXX-XX-XXXX');</script>

Validate your inputs against a character white list

ASP.NET 4 and earlier: use Request Validation

ASP.NET Core: avoid Html.Raw() except on validated input

The same rule applies when emitting text into JavaScript: use JavaScript string encoding

Other solutions exist as well (HTTP modules, etc.)
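The demo above echoes a `message` query parameter into the page. The following is an added example, not code from the slides: it validates that parameter against a character white list before it reaches the view, and keeps the two output contexts (HTML text and a JavaScript string) on separate encoders. The controller name and the white-list pattern are assumptions for this demo.

```csharp
// Added example (not from the slides): keep ?message= in a data context.
// Assumes an MVC 5 PresentersController and a Razor view that renders
// @ViewBag.Message (auto-encoded); the white list below is an assumption.
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

public static class MessageInput
{
    // Character white list: letters, digits, space and a little punctuation.
    // '<', '>', '"', '\'' and '&' are simply not allowed, so the demo payload
    // test<script>alert('XSS');</script> is rejected rather than "cleaned".
    private static readonly Regex Allowed =
        new Regex(@"^[\p{L}\p{N} .,!?-]{0,200}$", RegexOptions.Compiled);

    public static bool IsValid(string message) =>
        message != null && Allowed.IsMatch(message);

    // HTML text context. Razor's @ syntax applies this encoding implicitly;
    // Html.Raw() is the explicit way to skip it, which is why it needs validated input.
    public static string ForHtml(string message) => HttpUtility.HtmlEncode(message);

    // JavaScript string context, e.g. var m = "..."; HTML encoding is the wrong
    // encoder here because a quote or backslash still ends the string literal.
    public static string ForJavaScriptString(string message) =>
        HttpUtility.JavaScriptStringEncode(message);
}

public class PresentersController : Controller
{
    // GET /Presenters?message=...
    public ActionResult Index(string message)
    {
        if (!MessageInput.IsValid(message))
            return new HttpStatusCodeResult(400, "message contains characters outside the white list");

        ViewBag.Message = message;   // the view renders it with @ViewBag.Message, encoded
        return View();
    }
}
```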

Page 16: Securing ASP.NET web applications

Transport Layer Security (TLS/SSL)

TLS/SSL is required for any secure site.

This isn’t a silver bullet.

Check the OWASP Transport Layer Protection Cheat Sheet for many rules

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Page 17: Securing ASP.NET web applications

You are not qualified to write some code

Encryption algorithms

Encryption is incredibly complex and few people in the world are qualified to write it

Leave it to professionals

Authentication code

Authentication or membership code may seem easy, but you won’t cover all the bases

Leave it to professionals

Example - Salted Password Hashing

Example - Cross Site Request Forgery

Page 18: Securing ASP.NET web applications

Data Hacks - Validation & Leakage

Page 19: Securing ASP.NET web applications
Page 20: Securing ASP.NET web applications

Validate Model Data

Just because you don’t put a field in the UI doesn’t mean the user can’t change it

You must validate the data that comes from a user

$("#Biography").after('<input name="UserVotes" value="100"/>')

MVC provides the UpdateModel method on the Controller class; use its include list so only the fields you intend to edit are bound
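The jQuery line above injects a `UserVotes` input the form never rendered. As an added example (not code from the slides), here is the over-posting bug beside its fix in an MVC 5 controller: the unsafe action lets `UpdateModel` bind every posted field, the hardened one restricts binding to the two fields the form edits. The `Presenter` entity and `PresenterContext` data context are assumed names.

```csharp
// Added example (not from the slides): mass assignment via UpdateModel.
// Assumes an EF-style PresenterContext with a Presenters set (assumed names).
using System.Web.Mvc;

public class Presenter
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Biography { get; set; }
    public int UserVotes { get; set; }   // never user-editable
}

public class PresenterController : Controller
{
    private readonly PresenterContext _db = new PresenterContext();   // assumed data context

    // Vulnerable: UpdateModel binds every posted field that matches a property,
    // so the injected UserVotes=100 input silently overwrites the vote count.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditUnsafe(int id)
    {
        var presenter = _db.Presenters.Find(id);
        if (presenter == null) return HttpNotFound();
        UpdateModel(presenter);
        _db.SaveChanges();
        return RedirectToAction("Details", new { id });
    }

    // Hardened: bind only the fields the form is meant to edit. The include
    // list makes the binder ignore UserVotes and any other extra input.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        var presenter = _db.Presenters.Find(id);
        if (presenter == null) return HttpNotFound();
        if (!TryUpdateModel(presenter, new[] { "Name", "Biography" }))
            return View(presenter);   // validation errors are in ModelState
        _db.SaveChanges();
        return RedirectToAction("Details", new { id });
    }
}

// Equivalent structural fix: an edit view model with no UserVotes property
// gives the binder nothing extra to populate.
public class PresenterEditModel
{
    public string Name { get; set; }
    public string Biography { get; set; }
}
```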

Page 21: Securing ASP.NET web applications

Sequential or Guessable Identifiers

Users are smart and will push beyond the limitations of your UI

Sequential or guessable identifiers are an invitation

Block unintended usage by validating user access
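Changing the id in a URL such as /Presenters/Edit/42 is the most common way users push past the UI. As an added example (not code from the slides), the controller below shows the lookup that trusts the id beside the one that scopes it to the signed-in owner; `PresenterContext`, the `OwnerId` property and the use of ASP.NET Identity for the user id are assumptions.

```csharp
// Added example (not from the slides): insecure direct object reference on a
// sequential id. Assumes ASP.NET Identity and a PresenterContext whose Presenter
// rows carry an OwnerId (assumed names).
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // User.Identity.GetUserId()

public class PresentersController : Controller
{
    private readonly PresenterContext _db = new PresenterContext();   // assumed data context

    // Vulnerable: [Authorize] proves the caller is *someone*, not that the row is
    // theirs, so any signed-in user can walk ids 1, 2, 3 ... and edit them all.
    [Authorize]
    public ActionResult EditUnsafe(int id)
    {
        var presenter = _db.Presenters.Find(id);
        if (presenter == null) return HttpNotFound();
        return View(presenter);
    }

    // Hardened: the query itself is scoped to the caller. A foreign id does not
    // exist from this user's point of view, so the response is the same 404 as a
    // bad id and reveals nothing about which ids are taken.
    [Authorize]
    public ActionResult Edit(int id)
    {
        var userId = User.Identity.GetUserId();
        var presenter = _db.Presenters
                           .SingleOrDefault(p => p.Id == id && p.OwnerId == userId);
        if (presenter == null) return HttpNotFound();
        return View(presenter);
    }

    // The same scoping belongs on the POST that saves the edit; checking the GET
    // alone leaves the write path open. Non-guessable keys (e.g. Guid) reduce
    // enumeration but are defence in depth, not a substitute for this check.
    [Authorize, HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string biography)
    {
        var userId = User.Identity.GetUserId();
        var presenter = _db.Presenters
                           .SingleOrDefault(p => p.Id == id && p.OwnerId == userId);
        if (presenter == null) return HttpNotFound();
        presenter.Biography = biography;
        _db.SaveChanges();
        return RedirectToAction("Details", new { id });
    }
}
```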

Page 22: Securing ASP.NET web applications

Published SetParameters Files

WebDeploy parameterization (SetParameters) files should never be published

Set their Build Action property to “None” in MVC 5 or earlier

Likely not a problem in ASP.NET/MVC Core

Page 24: Securing ASP.NET web applications

Questions?

Feel free to reach out after the conference to ask more questions or provide feedback. Thank you!

Robb Schiefer, Solutions Architect at EBSCO Industries, Inc.

@chief7

dotnetcatch.com

bhmdot.net

Page 25: Securing ASP.NET web applications
Page 26: Securing ASP.NET web applications